Whonix

From The Hidden Wiki

Introduction

This page contains a detailed comparison of Whonix, Tails, Tor Browser, Qubes OS TorVM and corridor. Although Qubes' TorVM, a dedicated ProxyVM providing torified networking to all clients, is now deprecated, it has been kept for comparison purposes since it acted like Whonix-Gateway (sys-whonix). <ref>The Qubes website states: "If you are interested in TorVM, you will find the Whonix implementation in Qubes a more usable and robust solution for creating a torifying traffic proxy."</ref>

If any incorrect or outdated information is noted, the reader can either directly edit this page, or contact us and we will correct it as soon as possible. Also see the statement about the neutrality of this page.

Last update

Table: Comparison Information Currency

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor (tor-talk) |
|---|---|---|---|---|---|
| Compared Version <ref>At the time of last comparison.</ref> | (green) 14 | (green) 2.4 | (green) 6.0 | (green) 0.1.3 | (green) ? |
| Latest Version <ref>Most recent stable version.</ref> | (green) Template:VersionNew | (yellow) 4.2 | (yellow) 9.0.4 | (green) 0.1.3 | (green) ? |
| Status | (green) This wiki page is up to date | (green) This wiki page is up to date | (green) This wiki page is up to date | (green) This wiki page is up to date | (green) This wiki page is up to date |

General

Table: General Factors

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
|---|---|---|---|---|---|
| Focus on anonymity, privacy and security | Yes | Yes | Yes | Yes | Yes |
| Type | General purpose OS available as VM images and physical isolation | Live DVD / Live USB / Live SDCard | Portable browser | General purpose OS, VM plugin for Qubes OS | Tor traffic whitelisting gateway |
| Supported hardware | x86 compatible and/or Virtual Machines + <ref>Custom-Workstation: self-made builds can run on any real or virtual hardware so long as they are behind a Whonix-Gateway (sys-whonix). Tor Browser binaries are limited to a handful of platforms - Windows, Linux, BSD and Mac.</ref> | x86 compatible and/or Virtual Machines | Windows, Linux, Mac and Virtual Machines | Any capable of running Qubes OS, see: System Requirements and HCL | Any Linux (?) |
| Based on | Tor, Debian <ref>Whonix-Workstation (whonix-ws): Other Operating Systems are also supported. With respect to Whonix-Gateway (whonix-gw), developers are agnostic about supporting any other secure distributions. Of course another operating system could be used as the base, but it requires significant effort.</ref> and a Virtualizer <ref name=virtual>The default downloads are for VirtualBox, but this is subject to change in the future. Physical Isolation is an optional security feature for advanced users. Experimental, optional support is available for VMware. Images can be built for other virtualizers, but it requires some work, see: Other Virtualization Platforms.</ref> when not using Physical Isolation | Tor, Debian | Tor, Firefox | Tor, Qubes OS, Fedora | iptables, sh |
| Gateway and torify any operating system <ref>For advanced users.</ref> | Yes <ref>See Other Operating Systems.</ref> | (blue) Not a torifying Gateway | (blue) Not a torifying Gateway | Yes <ref>See also HVM.</ref> | (blue) Not a torifying Gateway |
| Live Mode | (green) Yes <ref>Qubes-Whonix: DisposableVMs</ref> | Yes | No | No | No |
| Live DVD | No | Yes | No | No | No |
| Live USB | No | Yes | No | No | No |
| USB bootable | (yellow) Yes <ref name=boot>Users can install the host operating system on a USB.</ref> | Yes | (yellow) Yes <ref name=boot /> | (yellow) Yes <ref name=boot /> | (yellow) Yes <ref name=boot /> |
| USB installer feature | No <ref>Whonix does not have a fully-featured USB installer. Installing the operating system on a USB is recommended, but the decision is left to the user.</ref> | Yes <ref>Tails has a professional USB installer.</ref> | ? | Yes | No |
| Requires VirtualBox <ref name=vmneutralcolor>This has a neutral blue color, because the project dictates whether or not a specific virtualizer is required.</ref> | (blue) No | (blue) No | (blue) No | (blue) No | (blue) No |
| Requires VMware <ref name=vmneutralcolor /> | (blue) No | (blue) No | (blue) No | (blue) No | (blue) No |
| Requires Qubes OS <ref name=vmneutralcolor /> | (blue) No | (blue) No | (blue) No | (blue) Yes | (blue) No |
| System requirements | (yellow) Higher | (green) Lower | (green) Lowest | (yellow) Highest | (green) Lowest |
| Can run in VirtualBox | Yes | (yellow) Yes, but not recommended. <ref name=tailswarnvm>https://tails.boum.org/contribute/design/virtualization_support/</ref> Well documented <ref name=tailsdocvm>https://tails.boum.org/doc/advanced_topics/virtualization/</ref> | Yes, but (?) | (red) No <ref name=qubesosinvirtualbox>This has a red color because it raises the bar for new users, who must expend significant effort to try it.</ref> | No |
| Can run in VMware | (yellow) Yes, but not recommended and unsupported <ref>This is only available as an experimental proof of concept, see: VMware. It is not recommended because VMware is closed source software. Whonix developers do not support or test this configuration.</ref> | (yellow) Yes, but not recommended <ref name=tailswarnvm /> | Yes, but (?) | (blue) No <ref name=qubesosinvmware>This has a neutral color because Qubes OS is open source, while VMware is closed source and should therefore be discouraged.</ref> | No |
| Can run in Qubes OS | Yes <ref>Qubes-Whonix.</ref> | Yes <ref>https://www.qubes-os.org/doc/tails/</ref> | (yellow) Probably yes, but without security features provided by an Isolating Proxy | Yes | Yes |
| Persistence <ref>Custom installed applications and user data can be stored and survive reboot.</ref> | (green) Full | (green) Optional for Live USB | Yes <ref>Depending on a user's settings, bookmarks and passwords can be saved, and downloaded files retained.</ref> | (green) Full | (green) Full |
| Number of developers | Multiple <ref>See Team.</ref> | Multiple | Multiple | Multiple | One |
| Maturity | Project since 2012 | Project since 2009 <ref>https://en.wikipedia.org/wiki/Tails_%28operating_system%29</ref> | Project since 2002 <ref>https://en.wikipedia.org/wiki/Tor_browser</ref> | Project since 2012 (now deprecated) | Project since 2014 |
| Open source | Yes | Yes | Yes | Yes | Yes |
| Non-anonymous developers <ref>This matters because until Template:Code2 become standard, (non-)anonymous developers might imply trust. A project's reputation, formal education and expertise are other relevant factors.</ref> | Yes | No | Yes | Yes | No (?) |

Security

Network

Table: Network Security

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
|---|---|---|---|---|---|
| Responsibility for building Tor circuits | Tor client running on Whonix-Gateway | Tor client running on workstation | Tor client running on workstation | Tor client running on TorVM (Gateway) | Tor client running behind corridor-Gateway |
| Protection against IP address / location discovery <ref name=rootexploits>Protection from root exploits, specifically malware with root rights.</ref> on the Workstation <ref name=workstation>The Workstation is where the browser, IRC client and other user applications are run. The Gateway is where Tor and the firewall are running.</ref> | Yes <ref>Whonix protects against IP address / location discovery through root exploits (malware with root rights) inside Whonix-Workstation (anon-whonix), although this feature should not be unnecessarily tested. Successful attacks by adversaries cannot yield the user's real IP address / location, because Whonix-Workstation (anon-whonix) can only connect through the Whonix-Gateway (sys-whonix). More skill is required to compromise Whonix due to its design; also see attacks on Whonix.</ref> | No <ref name=realip>If Tails is compromised by a root exploit, the adversary can simply bypass the firewall to discover the user's real IP address.</ref> | No <ref name=realip /> | Yes | No <ref>corridor is not designed for that purpose. A compromised application could contact a colluding Tor relay.</ref> |
| IP / DNS protocol leak protection | (green) Full <ref>IP / DNS leaks are impossible in Whonix, since Whonix-Workstation (anon-whonix) is unaware of its external IP address.</ref> | (yellow) Depends <ref name=ipleak>Please read how Whonix protects against realistic threats first. IP leaks are possible in Tails if applications are configured incorrectly or have a critical bug - this similarly applies to the Tails platform itself. The Tails Security Page notes: "Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible."</ref> | (yellow) Depends <ref name=ipleak /> | (green) Full | (yellow) Depends |
| Workstation does not need to trust the Gateway | No | (blue) Not a gateway | (blue) Not a gateway | No | Yes |
| Takes advantage of entry guards <ref>https://www.torproject.org/docs/faq.html.en#EntryGuards</ref> | Yes | No <ref>https://tails.boum.org/blueprint/persistent_Tor_state/</ref> | Yes | Yes | (blue) Not applicable <ref name=uptotheclienttobuildtorcircuits /> |

Stream Isolation

Table: Stream Isolation

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
|---|---|---|---|---|---|
| Stream isolation <ref>Stream isolation provides protection against identity correlation through circuit sharing.</ref> | Yes <ref>For further details, see stream isolation.</ref> | Yes <ref>Separate Tor streams in Tails.</ref> | Yes <ref name=browser>Ever since the following ticket was implemented: Tor Browser should set SOCKS username for a request based on referer.</ref> <ref>Tor Browser comes with its own Tor instance. It is just a browser, not a live system or an operating system.</ref> | Manually <ref>The user must configure applications manually to use stream isolation. In Whonix, all applications that are installed by default (like curl, wget, ssh, tbb, torbirdy, and others) are configured to use their own SocksPort. Tails also has this feature, but it is not as extensive as Whonix. When QubesOS TorVM was last checked, it did not provide stream isolation.</ref> | Yes |
| Enforces stream isolation when one of X Workstations behind the same Gateway is compromised in the default configuration <ref name=xworkstations>This is relevant when workstations x1, x2, ..., xn are all running behind the same gateway y.</ref> | | (blue) Not a gateway | (blue) Not a gateway | Yes <ref>See: https://groups.google.com/d/msg/qubes-devel/le7-Rrq6yxY/k_fQdSTzvLAJ</ref> | Yes <ref name=uptotheclienttobuildtorcircuits>Since the responsibility for building Tor circuits falls on clients running behind corridor-Gateway.</ref> |
| Stream isolation in Tor Browser | Yes | Yes | Yes | ? | ? |

Updates

Table: Updates

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
|---|---|---|---|---|---|
| Operating system updates | (green) Persist once updated | (green) Incremental upgrades <ref>See https://tails.boum.org/contribute/design/incremental_upgrades/</ref> | (green) Persist once updated | (green) Persist once updated | (green) Persist once updated |
| Update notifications | Yes <ref>See whonixcheck, Whonix news.</ref> | Yes | Yes | Yes | ? |
| Important news notifications | Yes <ref>See Whonix news.</ref> | Yes <ref>A GNOME libnotify notification pops up with a link and offers the user an opportunity to subscribe to news by email.</ref> | ? <ref>This might be possible via the browser's https://check.torproject.org function. This was never implemented, even after old Tor Browser bundles became a popular exploit.</ref> | ? | ? |
| apt-get unreliable exit code security workaround <ref name=Security_Issues_when_using_apt-get_update_in_Scripts>See security issues when using apt-get update in scripts.</ref> | Yes <ref>The whonixcheck function check_operating_system (Whonix/whonixcheck/blob/master/usr/lib/whonixcheck/check_operating_system.bsh) uses /usr/lib/apt-get-wrapper (Whonix/whonixcheck/blob/master/usr/lib/apt-get-wrapper).</ref> | ? | ? | ? | ? |

Hardware Serials

Table: Hardware Serials

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
|---|---|---|---|---|---|
| Hides hardware serials from malicious software with default settings | Yes <ref>See Protocol-Leak-Protection and Fingerprinting-Protection for details.</ref> | No <ref name=malware>By default this information is not sent to anyone. It is only at risk when the machine is compromised by malware.</ref> | No <ref name=malware /> | Yes | No <ref name=malware /> |
| Hides hardware serials from malicious software when additional hardware is assigned | No | No | No | No | No |
| No collection of hardware serials | (green) Yes | (green) Yes | (green) Yes | (green) Yes | (green) Yes |
| Hides the MAC address from websites | (blue) Invalid <ref name=invalid>The design of assigned MAC addresses means that destination servers cannot see them. Therefore yes, they are always hidden from destination servers.</ref> | (blue) Invalid <ref name=invalid /> | (blue) Invalid <ref name=invalid /> | (blue) Invalid <ref name=invalid /> | (blue) Invalid <ref name=invalid /> |
| Hides the MAC address from the local LAN <ref>This is a realistic threat considering some ISPs are based on LANs, which means they can see the MAC addresses of their clients. Hotspots can also see the MAC addresses of connected devices.</ref> | (red) No, see footnote <ref>Please read Whonix in public networks / MAC Address.</ref> | Yes <ref>Tails spoofs the MAC address. This feature can be easily disabled.</ref> | No | (yellow) Yes, but not enabled by default <ref>https://www.qubes-os.org/doc/anonymizing-your-mac-address/</ref> | (blue) Not applicable |
| Hides the MAC address from applications | Yes <ref>The virtual MAC address for Whonix-Gateway internal network interface (eth1) is shared among all Whonix users, because Whonix-Workstation can see it. However, Whonix-Workstation cannot see the MAC address of Whonix-Gateway external network cards (eth0).</ref> | No | No | Yes, by default, unless... <ref>Unless a physical network card is assigned to the virtual machine.</ref> | (blue) Not applicable |
| Defeats advanced Wi-Fi device tracking <ref>Why MAC Address Randomization is not Enough: An Analysis of Wi-Fi Network Discovery Mechanisms</ref> <ref>A Passive Technique for Fingerprinting Wireless Devices with Wired-side Observation</ref> | No <ref>https://forums.whonix.org/t/your-mac-address-randomization-attempts-are-futile</ref> <ref>MAC Address Introduction</ref> | No | No | No <ref>https://github.com/QubesOS/qubes-issues/issues/2361</ref> | (blue) Not applicable |

Forensics

Table: Forensic Issues

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
|---|---|---|---|---|---|
| Amnesic | | Yes <ref>Tails is amnesic by design.</ref> | No <ref>Although Tor Browser is designed to prevent browser activity leaking to disk, the implementation could be faulty, or swap might still leak. Also see The Tor Project blog post Forensic Analysis of Tor on Linux and the full pdf results.</ref> | ? <ref>A DisposableVM could be used with a TorVM. For a discussion of TorVM anti-forensics features, see DisposableVM versus local forensics?.</ref> | (blue) Not applicable <ref>corridor-Gateway itself is not amnesic. The amnesic feature must be implemented by the workstations (and possibly gateways) behind corridor-Gateway.</ref> |
| Local disk encryption | (yellow) Should be applied on the host | Yes, for a persistent USB | (yellow) Should be applied on the host | (yellow) Should be applied on the host | (yellow) Should be applied on the host |
| Cold boot attack protection <ref>See Cold boot attack.</ref> | No - should be applied on the host | Yes | No - should be applied on the host | No, planned <ref>https://github.com/QubesOS/qubes-issues/issues/716</ref> | No - should be applied on the host |

Download Security

| | Whonix | Tails | Tor Browser | Qubes OS | corridor |
|---|---|---|---|---|---|
| Onion direct | Yes | No | Yes | No | No |
| Onion mirror | Unneeded | No | Unneeded | Yes <ref>Mirror by unman: https://www.qubes-os.org/news/2019/04/17/tor-onion-services-available-again/</ref> | No |
| SSL direct | Yes | No | Yes | No | Yes |
| SSL mirror <ref>Having SSL supported mirrors may seem like an oxymoron. The common practice is to assume that mirrors are not to be trusted. Even if the mirror owners were trusted persons, it is still an open question how good their server security is. Even if their server security is exceptional, mirrors are generally also hosted in hosting companies and we cannot trust those. However, not all adversaries have extensive capabilities like being capable of mounting man-in-the-middle attacks, breaking server security or forcing the hosting company to turn over the keys and so on. Users who do not use verification are still better off downloading from a SSL supported mirror. Therefore, SSL protected mirrors work well against less sophisticated adversaries. In terms of numbers, this results in fewer users potentially ending up with maliciously altered downloads.</ref> | Yes | Yes | Unneeded | Yes | Unneeded |
| OpenPGP signatures available | Yes | Yes | Yes | Yes | Yes |
| Signify signatures available | Soon | No | No | No | No |
| Codecrypt (Post-Quantum Cryptography Resistant) signatures available | Soon | No | No | No | No |
| Server not under control of hosting provider <ref>It would also be safer if the download server was under the full control of the developers and not under control of a company, the hosting provider. Unfortunately that is not how things work today. Self-hosting is very expensive, requires a fast internet connection (home user contracts are not fast enough), and adequate physical security. Even the servers of The Tor Project are not hosted in a developer's home.</ref> | No | No | No | No | No |

Verifiable Builds

Table: Verifiable Builds Comparison

Template:Verifiable Builds Comparsion Table

Fingerprint

Table: Fingerprinting Issues

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
|---|---|---|---|---|---|
| Network / web fingerprint | Whonix fingerprint page | Tails fingerprint page | TBB traffic is tunneled through Tor. Host traffic passes over clearnet | ? | ? |
| Network fingerprint: ISP cannot trivially guess the project type <ref>To discover if Whonix, Tails or TBB is running.</ref> | Yes | Yes | Yes | No <ref>Because TorVM's own traffic is not torified.</ref> | Yes |
| Network fingerprint: ISP cannot guess that a non-persistent Tor directory is in use | Yes | No <ref>Tails does not support persistent entry guards yet.</ref> | Yes | Yes | Yes |
| Clearnet traffic | All Whonix-Gateway and Whonix-Workstation traffic is tunneled through Tor. Host traffic <ref>Operating system updates, use of a host browser and so on.</ref> uses clearnet | None, unless other users sharing the same internet connection are not using Tails | TBB traffic is tunneled through Tor. Host traffic <ref>Operating system updates, use of an untorified second browser and so on.</ref> uses clearnet | The gateway is not torified, therefore emitting clearnet traffic <ref>Due to package selection, it will probably also reveal that it is a Qubes OS TorVM.</ref> | The gateway is not torified, therefore emitting clearnet traffic |
| Network fingerprint: ISP cannot guess which anonymity software is in use due to the ratio of Tor and clearnet traffic | Unknown <ref>Whonix users might tend to have more traffic than TBB users, as operating system updates of Whonix-Workstation (whonix-ws) and Whonix-Gateway (whonix-gw) take place over Tor. It is unknown if the data volume is specific enough to guess a transparent or isolating proxy is in use, or if a significant proportion of other Tor users route a large amount of traffic through Tor (to help disguise Whonix users). Research prior to the foundation of Whonix suggested that a large amount of file sharing occurred via Tor. Classical file-sharing is likely to have far greater upload than Whonix, but it is unclear how many people have disabled upload settings or moved to methods which have minimal upload, such as file hosters.</ref> | The ISP can guess a Tor live system is in use, unless... <ref>The unsafe browser is in use, or other people are sharing the same Internet connection who are not using Tails.</ref> | ? | Not applicable <ref>See above: Network fingerprint: ISP cannot trivially guess the project type.</ref> | ? |
| Network fingerprint: ISP cannot guess which anonymity software is in use because of tordate <ref name=tordate>The Tails Design about Time syncing states: "Our initial time guess based on the Tor consensus is probably easier to fingerprint, though: a fresh Tor is started, and restarted again right after the consensus has been downloaded."</ref> | Yes, does not include tordate | No, if the clock is grossly inaccurate when booting <ref name=tordate /> | (blue) No, not an operating system | Yes, does not include tordate | Yes, does not include tordate |
| Web fingerprint <ref>Fingerprint for the websites that are visited.</ref> | (green) Same as TBB <ref>Whonix uses the original Tor Browser from The Tor Project, with the only difference being Tor runs on Whonix-Gateway instead of using the locally shipped Tor.</ref> | (red) Not the same as TBB <ref name=not-exactly-same-as-tbb>Refer to the following Tails resources for the latest status update: (fingerprint) for the websites that you are visiting and evaluate web fingerprint.</ref> | (green) TBB <ref>This is the original Tor Browser Bundle from torproject.org.</ref> | (red) Does not include Tor Browser <ref name=torovertor>While preventing Tor over Tor, which is recommended.</ref> <ref>This could probably be installed manually, but users are generally not aware of fingerprinting issues. Further, they usually have trouble in using Tor Browser without the bundled Tor instance - which is of course recommended to prevent Tor over Tor scenarios.</ref> | (blue) Not applicable |
| Unsafe browser fingerprint <ref>Tails and Liberte Linux contain a so called "Unsafe Browser". The Unsafe Browser does not use Tor and it connects in the clear. It is available on these platforms because it is useful for registering on hotspots or for general (non-anonymous) browsing purposes.</ref> | <ref>When using VMs: When using Physical Isolation: From Whonix 0.5.6 onwards, there is no unsafe browser. A separate third machine with clearnet access could be configured.</ref> | <ref>Tails Todo: Improve fingerprint of the Unsafe Browser</ref> | ? | ? | ? |
| Network time synchronization runs at randomized times during the session | Yes <ref>This is useful for keeping the clock synchronized for long running sessions.</ref> <ref>See also Dev/TimeSync.</ref> | (blue) Does not continuously run network time synchronization | (blue) Not an operating system, does not include network time synchronization | (blue) Does not include network time synchronization | (blue) Does not include network time synchronization |
| Connection wizard prevents unwanted / accidental connections to the public Tor network <ref>Users who want to hide Tor and Whonix from the ISP should not connect to the public Tor network when starting the platform for the first time.</ref> | Yes | Yes | ? | ? | ? |
| Includes Tor Browser from The Tor Project | Yes | Yes + patches | Yes | No | No |
| Privacy-enhanced browser <ref>Settings, patches and add-ons.</ref> | Yes, Tor Browser | Yes, Tor Browser + patches <ref>See Tor Browser.</ref> <ref name=not-exactly-same-as-tbb /> | Yes, Tor Browser | No | (blue) Not applicable |
| Secure distributed network time synchronization | Yes <ref>See TimeSync.</ref> | Yes <ref>See Tails - Time syncing.</ref> | No | No | No |
| Hides the time zone (set to UTC) | Yes | Yes | Yes | No | (blue) Not applicable |
| Hides the operating system account name <ref name=rootexploits /> <ref name=workstation /> <ref>It is best when account names are shared among anonymity-focused distributions.</ref> | Yes, set to Template:Code2 | Yes, set to Template:Code2 | No | Yes, set to Template:Code2 | (blue) Not applicable |
| Secure gpg.conf <ref>https://github.com/ioerror/torbirdy/blob/master/gpg.conf</ref> <ref>gpg.conf optimized for privacy</ref> | Yes | Yes | (blue) Not an operating system | (blue) Not an operating system | (blue) Not an operating system |
| Privacy-enhanced IRC client configuration | Yes | Yes | (blue) Not an IRC client | (blue) Not an operating system | (blue) Not an IRC client |
| Keystroke Anonymization | | No | No | (blue) Not an operating system | (blue) Not an operating system |

Miscellaneous

Table: Miscellaneous Issues

| | Whonix | Tails | Tor Browser | Qubes OS TorVM | corridor |
|---|---|---|---|---|---|
| A warning appears when run in an unsupported / unrecommended virtualizer | Yes | Yes | Unnecessary (?) | Invalid (?) <ref>As TorVM may not run inside other virtualizers in the first place, although this is untested.</ref> | (blue) Not applicable |
| Security and anonymity check | Yes <ref>whonixcheck</ref> | ? | ? | ? | ? |
| AppArmor <ref>https://en.wikipedia.org/wiki/AppArmor</ref> is enabled by default | Yes <ref>https://github.com/Whonix/grub-enable-apparmor</ref> | ? | ? | ? | ? |
| AppArmor profiles are enabled by default | (blue) Partial <ref>Additional profiles can be manually installed. Profiles are already enabled by default for Tor and obfsproxy.</ref> | Yes (?) | ? | ? | ? |

Flash / Browser Plugin Security

Table: Flash and Browser Plugins Security

| Flash Tracking Technique | Whonix-Workstation | Tor on the Host |
|---|---|---|
| Proxy bypass IP leak | (green) Protected | (red) Insecure, leads to deanonymization |
| Protocol IP leak | (green) Protected | (red) Insecure, leads to deanonymization |
| Flash cookies | (yellow) Reduces anonymity to pseudonymity. It is recommended to delete Flash cookies | (red) Flash activity over clearnet and Tor can be linked, which leads to deanonymization (or a significant reduction in the anonymity set) if the skew is large and rare. Flash is also useful for additional fingerprinting, which has an adverse impact <ref name=bad>If the fingerprint is detailed enough, then linkage of activities and subsequent deanonymization becomes easier.</ref> |
| Number of installed fonts | (green) The number of fonts inside Whonix-Workstation (anon-whonix) and the host (clearnet) operating system will differ, which is good for anonymity | (red) The same fonts are reported for both clearnet and Tor Flash activity, which is harmful to anonymity <ref name=bad /> |
| Exact flash player version | (yellow) The Flash version is shared among many users, <ref name=shared-among-much-pepole>That is, it is shared among all up-to-date Whonix users, and some Debian users. In Debian's case that would be persons using the same platform that Whonix is based on (Debian stretch in Whonix 14.0.0.7.4). In addition, some users of Debian derivatives (like Ubuntu) would share the same Flash version.</ref> which is good for anonymity, since it reduces the impact of fingerprinting. The version is also probably different from the host (clearnet) operating system, which is beneficial | (red) The same version is reported for Flash activity over both clearnet and Tor, which is harmful to anonymity <ref name=bad /> |
| GNU/Linux kernel version | (yellow) This version is shared among many people, <ref name=shared-among-much-pepole /> which is good for anonymity, since it reduces the impact of fingerprinting | (red) The same version is reported for Flash activity over both clearnet and Tor <ref name=bad /> |
| Language | (green) Set to en_US for all Whonix users | (red) Set to the user's local language setting. This is useful for fingerprinting, since it leads to anonymity set reduction <ref name=bad /> |
| Exact date and time | (green) This differs from the host (clearnet) operating system, which is beneficial (see TimeSync for details) | (red) The same time / clockskew is reported for both clearnet and Tor Flash activity, which is harmful to anonymity <ref name=bad /> |
| Exact screen resolution and DPI | (yellow) ? | (red) The same screen resolution and DPI is reported for both clearnet and Tor use, which is harmful to anonymity <ref name=bad /> |
| Full path to the Flash plugin | (yellow) This is shared among many people, <ref name=shared-among-much-pepole /> which is good for anonymity | (red) Depends on the host (clearnet) operating system. In the worst case it could contain the operating system user name, which is fatal if it is the user's actual name. The same path to the Flash plugin is reported for both clearnet and Tor use, which is harmful to anonymity <ref name=bad /> |
| Other factors <ref>Users can conduct their own checks on http://ip-check.info</ref> | (yellow) Assume reduction from anonymity to pseudonymity | (red) Greater possibilities for fingerprinting and linkage of activities, which is harmful to anonymity <ref name=bad /> |
Conclusion style="background-color: Template:Yellow"| A user's IP address / location / identity will remain hidden inside Template:Workstation product name (anon-whonix), but it is assumed to be pseudonymous rather than anonymous style="background-color: Template:Red"| Flash over Tor -- on the host, without software like Template:Project name -- is completely unsafe. If Flash is ever used over clearnet, linkage of activities is possible. In the worst case scenario, assume the strong Flash fingerprint can lead to full deanonymization

For further information about using Flash and other browser plugins in Whonix, see here.

Attacks

Circumventing Proxy Obedience Design

Introduction

This section presupposes the user is familiar with:

Whonix protects against discovery of a user's IP address / location via a successful root exploit (malware with root rights) on the Whonix-Workstation (anon-whonix). <ref name=workstation /> Users should not deliberately test this feature and risk becoming infected with malware, since all the data inside Whonix-Workstation (anon-whonix) would become available to the attacker.

Whonix is not a perfect or unbreakable system, nor can it ever be. However, Whonix does raise the bar for attackers, meaning greater effort and skill is needed to discover the user's real IP address and successfully deanonymize them. The following table summarizes the defense-in-depth provided by the Whonix design.

Terms that are used in the following table are defined below:

  • TBB: Tor Browser Bundle.
  • Fail: the IP address / location of the user is compromised.
  • Safe: the IP address / location of the user is hidden behind Tor.

Overview

Table: Proxy Circumvention Threats

Attack Template:Project name Default Template:Project name Physical Isolation Tails Tails in a VM TBB TBB in a VM Qubes OS TorVM corridor
1. Proxy bypass IP leak <ref>An application not honoring proxy settings. Example: Tor Browser Bundle: Firefox security bug (proxy-bypass).</ref> Template:Safe <ref name=firewall>Prevented by the firewall.</ref> Template:Safe <ref name=firewall /> Template:Safe <ref name=firewall /> Template:Safe <ref name=firewall /> Template:Fail Template:Fail Template:Safe Template:Safe
2. Protocol IP leak <ref>This occurs when applications leak the user's real IP address. See [[Security in Real World|Template:Project name Security in the Real World]] for examples where Template:Project name prevented them. Leaks are often circumvented in Template:Project name because Template:Workstation product name (anon-whonix) is unaware of the real IP address.</ref> Template:Safe <ref name=own>The workstation does not know its own external IP address.</ref> Template:Safe <ref name=own /> Template:Fail Template:Safe <ref name=lan>The VM replaces the IP address with an internal LAN IP, which is safe.</ref> Template:Fail Template:Safe <ref name=lan /> Template:Safe Template:Safe <ref name=lan />
3. Exploit <ref name=browser-zero-day-example>Consider the following example. A user visits a website over Tor with a torified browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine, and then installs malware.</ref> <ref>The vulnerability "only" allows the adversary to gain user rights, not root. The adversary could then remotely start the Unsafe Browser in order to discover the user's real IP address. This attack is circumvented by Whonix, because any applications running inside Whonix, including malware, can only connect through Tor.</ref> Template:Safe Template:Safe Template:Fail <ref name=tails-unsafe-browser-clearnet-ip-script>The Tails bug report "The Unsafe Browser allows to retrieve the public IP address by a compromised amnesia user with no user interaction" contains an example of how this attack could be accomplished.</ref> Template:Fail <ref name=tails-unsafe-browser-clearnet-ip-script/> Template:Fail Template:Fail Template:Safe Template:Fail
4. Exploit + root exploit <ref name=browser-zero-day-example/> <ref>The vulnerability "only" allows the adversary to gain user rights, not root. The adversary gains root rights by escalating privileges with a second vulnerability. The adversary is then capable of tampering with iptables rules to make non-Tor connections and so on. This attack is circumvented by Whonix, because the firewall runs on another (virtual) machine. Further, any root applications inside Whonix, including malware with root rights, can only connect through Tor.</ref> Template:Safe Template:Safe Template:Fail <ref name=tails-unsafe-browser-clearnet-ip-script/> Template:Fail <ref name=tails-unsafe-browser-clearnet-ip-script/> Template:Fail Template:Fail Template:Safe Template:Fail
5. Root exploit <ref name=browser-zero-day-example/> <ref>The vulnerability used allows the adversary to gain root rights. The adversary is then capable of tampering with iptables rules to make non-Tor connections and so on. This attack is circumvented by Whonix, because the firewall runs on another (virtual) machine. Further, any root applications inside Whonix, including malware with root rights, can only connect through Tor.</ref> Template:Safe Template:Safe Template:Fail <ref name=tails-unsafe-browser-clearnet-ip-script/> Template:Fail <ref name=tails-unsafe-browser-clearnet-ip-script/> Template:Fail Template:Fail Template:Safe Template:Fail
6. Exploit + VM exploit <ref>Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine, and then installs malware.</ref> <ref>A second exploit is then used to break out of the virtual machine. The default Non-Qubes-Whonix and Qubes-Whonix platforms are vulnerable to this attack. Whonix with physical isolation defeats this attack, because the Whonix-Workstation host does not know its real IP address, only Whonix-Gateway does, which is running on another physical machine.</ref> Template:Fail Template:Safe Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail
7. Exploit + VM exploit + exploit against physically isolated Template:Gateway product name <ref>This is the same as attack number six, except in this case the adversary uses an extra vulnerability to break into Template:Gateway product name. Template:Project name is vulnerable to this form of attack.</ref> Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail
8. VM exploit <ref>Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the user's machine. The default [[Template:Non q project name short|Template:Non q project name]] and [[Template:Q project name short|Template:Q project name]] platforms will fall to this attack, the same as attack number six. Physical isolation defeats this attack in the same manner as per attack number six.</ref> Template:Fail Template:Safe Template:Safe Template:Fail Template:Safe Template:Fail Fail, see <ref name=qubes-vm-exploit>White is used as a more neutral color because according to this post by Joanna Rutkowska, exploiting a QubesOS virtual machine is more difficult than exploiting VirtualBox.</ref> Template:Fail
9. VM exploit + exploit against physically isolated Template:Gateway product name <ref>Consider the following example. A user visits a website over Tor with a torified Browser. The website uses a known or zero day vulnerability to gain remote code execution on the host. The adversary then uses an extra vulnerability to break into Template:Gateway product name. Template:Project name is vulnerable to this kind of attack.</ref> Template:Fail Template:Fail Template:Safe Template:Fail <ref name=fail>Fail, because it has already fallen victim to a VM exploit.</ref> <ref name=not>This is not usually run behind a physically isolated Template:Gateway product name.</ref> Template:Safe Template:Fail <ref name=fail /> <ref name=not /> Fail, see <ref name=qubes-vm-exploit /> <ref name=fail /> <ref name=not /> Template:Fail
10. Exploit against Tor process <ref>Consider the following example. A user visits a website over Tor with a torified Browser, with Tor controlling (processing) the traffic. The adversary uses a vulnerability to gain remote code execution on the user's machine. The machine where Tor is running knows the user's real IP address (Tor control protocol command: getinfo address), unless this machine is itself behind another Gateway which is difficult to configure; see Chaining Multiple Gateways.</ref> Template:Fail <ref name=chaininganonymizinggateways>Unless a user is Chaining Multiple Gateways, which is unfortunately only available to expert users. Template:Project name is vulnerable to this form of attack.</ref> Template:Fail <ref name=chaininganonymizinggateways /> Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail
11. Attack against the Tor network <ref>For example, an end-to-end correlation attack. Research has established that Tor is vulnerable to numerous other attack vectors. Any successful attack against Tor, where an anonymity operating system is dependent on it, will naturally deanonymize the user. The exception is users who are Chaining Multiple Gateways, which unfortunately is only available to expert users. Template:Project name is capable of defeating some attacks against Tor and associated components such as Tor Browser; for example, see the secure and distributed time synchronization mechanism and protocol and fingerprinting leak protection, along with the rest of the Design page.</ref> Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail
12. Backdoor <ref>Any backdoor in Tor would be fatal for operating systems which rely upon it, since it would open up an avenue for targeted attacks. Widespread attacks are more likely to be identified.</ref> <ref name=deterministic /> Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail Template:Fail
13. Hidden service domain name security after server software exploit Template:Safe <ref name=hidden_service_key_stored_on_gateway>When server software on Template:Workstation product name (anon-whonix) is (root) exploited, the attacker cannot steal the key of the onion service because it is stored on Template:Gateway product name (sys-whonix).</ref> Template:Safe <ref name=hidden_service_key_stored_on_gateway /> Template:Fail <ref name=Tails_noserver>Tails is not yet meant to be used as a server.</ref> Template:Fail <ref name=Tails_noserver /> Template:BlueBackground Not an operating system Template:BlueBackground Not an operating system ? <ref>This is safe in theory, but it is unclear if TorVM supports onion services.</ref> Template:Fail

Network Time-related

Introduction

This section presupposes the user is familiar with:

Terms that are used in the following table are defined below:

  • (VM host) update/crypto block: prevention of (VM host) operating system updates and cryptographic verification such as TLS / SSL in the (VM host) browser.
  • u/c-block: update/crypto block.
  • Tor blocked: prevention of connections to the Tor network until the clock is manually fixed.
  • Big clock skew: more than 1 hour in the past or more than 3 hours in the future. <ref name=source>Source: https://lists.torproject.org/pipermail/tor-talk/2012-February/023264.html</ref>
  • Small clock skew: less than 1 hour in the past or less than 3 hours in the future. <ref name=source />
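The two skew classes defined above are asymmetric (1 hour behind versus 3 hours ahead), which is easy to get wrong when checking a clock. The following is an added illustration, not code from Whonix, Tails or the Tor Project: it measures the local clock against HTTP `Date` header values and classifies the result. The function names, the use of `Date` headers as the time source, the median over several sources and the treatment of the exact boundary are assumptions of this example, and the sample headers are constructed.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from statistics import median

# Thresholds from the definitions above; note that they are asymmetric.
MAX_PAST_S = timedelta(hours=1).total_seconds()    # local clock behind
MAX_FUTURE_S = timedelta(hours=3).total_seconds()  # local clock ahead

# Constructed sample input: Date headers as three servers might return them.
SAMPLE_HEADERS = [
    "Tue, 14 Jan 2020 12:00:05 GMT",
    "Tue, 14 Jan 2020 12:00:07 GMT",
    "not a date",                      # malformed source, must be skipped
    "Tue, 14 Jan 2020 16:00:00 GMT",   # one source that is four hours off
]


def skew_seconds(local_now, date_header):
    """Signed skew in seconds; positive means the local clock is ahead."""
    remote = parsedate_to_datetime(date_header)
    if remote.tzinfo is None:  # "-0000" parses as naive; treat it as UTC
        remote = remote.replace(tzinfo=timezone.utc)
    return (local_now - remote).total_seconds()


def classify(skew):
    """Return "big" or "small" for a signed skew in seconds.

    Assumption: a skew of exactly 1 h in the past or 3 h in the future,
    which the definitions leave open, is treated as "small".
    """
    if skew < -MAX_PAST_S or skew > MAX_FUTURE_S:
        return "big"
    return "small"


def assess(local_now, date_headers):
    """Return (median skew, class) over all parsable headers.

    The median keeps a single wrong or malicious source from deciding
    the result (a choice made for this example).
    """
    skews = []
    for header in date_headers:
        try:
            skews.append(skew_seconds(local_now, header))
        except (TypeError, ValueError):
            continue  # unparsable header: ignore this source
    if not skews:
        raise ValueError("no usable time source")
    mid = median(skews)
    return mid, classify(mid)


if __name__ == "__main__":
    for hh, mm in ((12, 0), (10, 30), (14, 30)):
        now = datetime(2020, 1, 14, hh, mm, tzinfo=timezone.utc)
        print(now.isoformat(), assess(now, SAMPLE_HEADERS))
```

A clock 90 minutes behind is classified as big while one 150 minutes ahead is still small, which is the asymmetry the definitions describe.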

Overview

Table: Network Time-related Issues

Template:Project name Default Template:Project name Physical Isolation Tails Tails in a VM TBB TBB in a VM Qubes OS TorVM
VM host time synchronization mechanism NTP Gateway: there is no VM host. Workstation host: NTP There is no VM host. Same as the operating system synchronization mechanism NTP There is no VM host NTP NTP
Operating system synchronization mechanism sdwdate sdwdate tordate and tails_htp tordate and tails_htp NTP NTP ?
Effect of a grossly inaccurate clock style="background-color: Template:Red"| Tor blocked style="background-color: Template:Red"| Tor blocked style="background-color: Template:Green"| tordate fixes the clock style="background-color: Template:Green"| tordate fixes the clock style="background-color: Template:Red"| Tor blocked style="background-color: Template:Red"| Tor blocked style="background-color: Template:Red"| Tor blocked
VM host time differs from operating system time Template:Yes <ref name=unsafe>Because the unsafe browser runs on the VM host which uses NTP, and the torified browser runs inside Template:Workstation product name (anon-whonix) which uses sdwdate.</ref> Template:Yes <ref name=unsafe /> Template:BlueBackground There is no VM host Template:Yes <ref>The VM host time is synchronized with NTP, and operating system time is synchronized with tails_htp.</ref> Template:No <ref name=same>An untorified host browser uses the same clock as TBB.</ref> style="background-color: Template:Yellow"| Possibly <ref name=maybe>The host and VM clock are both synchronized with NTP, but there still might be a difference since they are synchronized independently.</ref> Template:No
Unsafe browser time differs from torified browser time <ref>This is important because if the clock skew is too large and/or unique, non-anonymous and anonymous activity might be linked.</ref> Template:Yes <ref name=unsafe /> Template:Yes <ref>The time differs because Template:Workstation product name (anon-whonix) and Template:Gateway product name (sys-whonix) use separate sdwdate instances.</ref> Template:No <ref name=time>The unsafe browser and torified browser share the same clock via tails_htp</ref> Template:No <ref name=time /> Template:No <ref name=same /> style="background-color: Template:Yellow"| Possibly <ref name=maybe /> Template:No
Large clock skew attack against NTP <ref name=adversary>An attack initiated by an ISP-level adversary.</ref>: VM host effects style="background-color: Template:Red"| u/c-block style="background-color: Template:Red"| VM host u/c-block Template:BlueBackground There is no VM host style="background-color: Template:Red"| VM host u/c-block Template:BlueBackground There is no VM host style="background-color: Template:Red"| VM host u/c-block style="background-color: Template:Red"| u/c-block
Large clock skew attack against NTP <ref name=adversary />: operating system effects style="background-color: Template:Red"| Tor blocked style="background-color: Template:Red"| Tor blocked style="background-color: Template:Green"| <ref name=ntp>This assumes installation of a regular operating system using NTP which was used earlier, and the introduction of a clock skew by an adversary.</ref>; tordate fixes the clock skew style="background-color: Template:Green"| <ref name=ntp />; tordate fixes the clock skew style="background-color: Template:Red"| Tor blocked; u/c block style="background-color: Template:Red"| Tor blocked; u/c block style="background-color: Template:Red"| Tor blocked
Fingerprintable reaction <ref>Such as running tordate.</ref> when a large clock skew attack is used style="background-color: Template:Green"| No, fails identically to TBB style="background-color: Template:Green"| No, fails identically to TBB style="background-color: Template:Yellow"| Probably yes, see the fingerprint section above style="background-color: Template:Yellow"| Probably yes, see the fingerprint section above style="background-color: Template:Green"| TBB style="background-color: Template:Green"| TBB style="background-color: Template:Green"| No
Small clock skew attack against NTP <ref name=adversary />, VM host effects: Template:BlueBackground VM host u/c block (?) Template:BlueBackground VM host u/c block (?) Template:BlueBackground There is no VM host Template:BlueBackground VM host u/c block (?) Template:BlueBackground VM host u/c block (?) Template:BlueBackground VM host u/c block (?) Template:BlueBackground VM host u/c block (?)
Small clock skew attack against NTP <ref name=adversary />, operating system effects: style="background-color: Template:Green"| Whonix VMs: sdwdate fixes the clock skew style="background-color: Template:Green"| sdwdate fixes the clock skew style="background-color: Template:Green"| VM: tails_htp fixes the clock skew style="background-color: Template:Green"| tails_htp fixes the clock skew style="background-color: Template:Red"| If the user visits a page monitored by an adversary, they will know who is connecting <ref name=unique>Due to a unique clock skew introduced by an adversary.</ref> style="background-color: Template:Red"| If the user visits a page monitored by an adversary, they will know who is connecting <ref name=unique /> style="background-color: Template:Red"| If the user visits a page monitored by an adversary, they will know who is connecting <ref name=unique />

Usability

Table: Overall Usability

Template:Project name Tails Tor on the Host Qubes OS TorVM corridor
Difficulty: installing additional software while the IP address remains hidden <ref>That is, installing new software safely.</ref> style="background-color: Template:Green"| Easy <ref>In Whonix, it is possible to install a (Tor-unsafe) BitTorrent client. In the worst case it would be pseudonymous rather than anonymous, as the IP address would still be hidden.</ref> style="background-color: Template:Yellow"| Moderate <ref>Tails has a firewall to block non-Tor traffic, but an audit at the protocol level is still required. The Tails Security Page notes: "Until an audit of the bundled network applications is done, information leakages at the protocol level should be considered as - at the very least - possible."</ref> style="background-color: Template:Red"| Difficult <ref>The user must manually prevent non-Tor traffic, DNS leaks and protocol level leaks.</ref> style="background-color: Template:Green"| Easy style="background-color: Template:Yellow"| Moderate
Difficulty: installation of the base anonymity software style="background-color: Template:Green"| Easy style="background-color: Template:Green"| Easy style="background-color: Template:Green"| Easy style="background-color: Template:Red"| Difficult <ref>The user must install and set up the Gateway from source code.</ref>
Required knowledge to prevent serious user error <ref>For examples of what not to do, see DoNot.</ref> style="background-color: Template:Red"| Difficult style="background-color: Template:Red"| Difficult style="background-color: Template:Red"| Difficult style="background-color: Template:Red"| Difficult style="background-color: Template:Red"| Difficult
Pre-installed applications style="background-color: Template:Green"| Wide selection style="background-color: Template:Green"| Wide selection Template:BlueBackground None Template:BlueBackground Not applicable Template:BlueBackground Not applicable
Grossly inaccurate host clock style="background-color: Template:Yellow"| No connection to the Tor network until the clock is manually fixed style="background-color: Template:Green"| Uses tordate to fix the clock style="background-color: Template:Yellow"| No connection to the Tor network until the clock is manually fixed style="background-color: Template:Yellow"| No connection to the Tor network until the clock is manually fixed ?
Comprehensive documentation Template:Yes <ref>Documentation</ref> Template:Yes <ref>https://tails.boum.org/doc/index.en.html</ref> ? ? ?
Disable power savings in VMs Template:Yes <ref>https://github.com/Template:Project name short/power-savings-disable-in-vms</ref> style="background-color: Template:Yellow"| No, but there is no sleep mode ? ? ?

Features

Table: Features

Template:Project name Tails Tor Browser Qubes OS TorVM
Default desktop XFCE GNOME Template:BlueBackground Whatever the user has installed. Not an operating system XFCE
Multi-language support Template:No Template:Yes Template:Yes ?
Fits on a DVD Template:No Template:Yes Template:BlueBackground Not an operating system ?
VPN support: user → VPN → Tor → destination style="background-color: Template:Yellow"| Manual configuration is required <ref name=whonixvpnsupport>Necessary software is included, but there is no GUI to complete the process. For documentation on this optional configuration, see tunnel introduction.</ref> Template:No <ref name=tailsvpn>Tails status for VPN support: https://labs.riseup.net/code/issues/5858</ref> style="background-color: Template:Yellow"| Possibly can be manually installed (?) Template:Yes
VPN support: user → Tor → VPN → destination style="background-color: Template:Yellow"| Manual configuration is required <ref name=whonixvpnsupport /> Template:No <ref name=tailsvpn /> ? Template:Yes <ref>By configuring the NetVM of the TorVM as a VpnVM.</ref>
VPN support: user → VPN → Tor → VPN → destination style="background-color: Template:Yellow"| Manual configuration is required <ref name=whonixvpnsupport /> Template:No <ref name=tailsvpn /> ? Template:Yes
IRC client pre-configured for privacy Template:Yes (HexChat) Template:Yes (Pidgin) <ref>https://tails.boum.org/contribute/design/#index42h3</ref> Template:BlueBackground Not an operating system Template:No
Flash support style="background-color: Template:Yellow"| Manual installation is required <ref>See Browser Plugin Security and Browser Plugins.</ref> Template:No, but HTML5 videos are functional <ref>Tails status for Flash support: https://labs.riseup.net/code/issues/5363</ref> style="background-color: Template:Yellow"| Manual installation is required ?
Mixmaster over Tor Template:Yes <ref>Installed by default, see Mixmaster.</ref> Template:No Template:BlueBackground Not an operating system Template:No
Ricochet IM<ref>https://en.wikipedia.org/wiki/Ricochet_%28software%29</ref> <ref name=torovertor /> style="background-color: Template:Yellow"| Manual installation is required <ref>See Ricochet IM.</ref> style="background-color: Template:Yellow"| Unsupported, but can be manually installed <ref>Tails wishlist.</ref> Template:BlueBackground Not applicable ?
FTP support style="background-color: Template:Yellow"| Partial <ref>Template:FTP</ref> Template:No (?) <ref>Tails status for FTP support: https://labs.riseup.net/code/issues/6096</ref> Template:BlueBackground Not an operating system ?
Download manager style="background-color: Template:Yellow"| Manual installation is required <ref>Users can install any download manager, preferably using SocksPort, although TransPort works as well. wget -c (pre-configured to use SocksPort) has also been tested to work.</ref> style="background-color: Template:Yellow"| Manual installation is required <ref>Users can manually install any download manager in Tails. It only needs configuration to use the proper SOCKS proxy.</ref> ? ?
Webmail can be used in the browser Template:Yes Template:Yes Template:Yes Template:Yes
Email client style="background-color: Template:Green"| Thunderbird style="background-color: Template:Green"| Thunderbird ? ?
Hidden service support style="background-color: Template:Yellow"| Manual configuration is required <ref>Hidden services can be used without IP address / DNS leaks, see onion service support. No GUI is available to setup an onion service, but it works well nonetheless.</ref> style="background-color: Template:Yellow"| Manual configuration is required <ref>This is possible via ordinary torrc mechanisms; see Persistence preset: Tor state</ref> ? ?
Hidden server configuration GUI Template:No Template:No <ref>Tails server: Self-hosted services behind Tails-powered Tor onion services</ref> ? ?
Support for free Wi-Fi hotspots Template:Yes <ref>When using VMs, this can be easily achieved on the host. For users relying on physical isolation, from Whonix 0.5.6 onward there is no unsafe browser. A separate third machine with clearnet access could also be configured.</ref> Template:Yes <ref>Tails has an unsafe browser for such tasks.</ref> Template:Yes <ref>The host operating system mechanism can be used.</ref> ?
Video / streaming software style="background-color: Template:Yellow"| Manual installation is required style="background-color: Template:Yellow"| Some applications are included, more can be manually installed Template:BlueBackground Not an operating system style="background-color: Template:Yellow"| Manual installation is required
Control port filter proxy Template:Yes <ref>See Dev/Control_Port_Filter_Proxy.</ref> Template:BlueBackground No Template:BlueBackground No Template:BlueBackground No
TBB about:tor success message Template:Yes Template:BlueBackground ? Template:BlueBackground ? Template:BlueBackground ?
Functional new identity option in Tor Button Template:Yes <ref name=niasdebian>The option is just as effective as comparable platforms, like Debian.</ref> Template:Yes <ref>This option is fully functional in Tails, despite the quote below - see the additional footnote. As noted on the Tails website, https://tails.boum.org/doc/anonymous_internet/Tor_Browser/index.en.html#new_identity: "This feature is not enough to strongly separate contextual identities in the context of Tails as the connections outside of Tor Browser are not restarted. Shutdown and restart Tails instead."</ref> <ref name=niasdebian /> Template:Yes <ref name=niasdebian /> Template:BlueBackground ?
Default browser set to Tor Browser Template:Yes Template:Yes (?) Template:BlueBackground Not applicable Template:BlueBackground ?
File / link open confirmation Template:Yes Template:BlueBackground ? Template:BlueBackground ? Template:BlueBackground ?
I2P over Tor style="background-color: Template:Yellow"| Manual installation and configuration is required <ref>See I2P.</ref> Template:BlueBackground ? Template:BlueBackground Not an operating system style="background-color: Template:Yellow"| Manual installation is required (?)
JonDonym over Tor style="background-color: Template:Yellow"| Manual installation is required <ref>See JonDonym.</ref> Template:BlueBackground ? Template:BlueBackground Not an operating system style="background-color: Template:Yellow"| Manual installation is required (?)
RetroShare over Tor style="background-color: Template:Yellow"| Manual installation is required <ref>See RetroShare.</ref> Template:BlueBackground ? Template:BlueBackground Not an operating system style="background-color: Template:Yellow"| Manual installation is required (?)
Shared folder help Template:Yes <ref>https://github.com/Template:Project name short/shared-folder-help</ref> <ref>VirtualBox shared folders.</ref> <ref>KVM shared folders.</ref> ? ? ?
Higher boot resolution Template:Yes <ref>https://github.com/Template:Project name short/grub-screen-resolution</ref> ? ? ?
Verbose boot output Template:Yes <ref>https://github.com/Template:Project name short/grub-output-verbose</ref> ? ? ?
RAM-adjusted desktop starter Template:Yes <ref>https://www.whonix.org/wiki/Desktop#RAM_Adjusted_Desktop_Starter</ref><ref>https://github.com/Template:Project name short/rads</ref> ? ? ?

Circumvention

Table: Censorship Circumvention Options

Template:Project name Tails Tor Browser Qubes OS TorVM corridor
obfs4 Template:Yes <ref>See Bridges.</ref> Template:Yes Template:Yes ? ?
meek Template:Yes <ref>meek_lite is available from Template:Project name 14.</ref> Template:Yes <ref>https://git-tails.immerda.ch/tails/plain/config/chroot_local-includes/etc/NetworkManager/dispatcher.d/10-tor.sh</ref> Template:Yes ? ?
Snowflake Template:Yes <ref>Manual configuration is required, see: Snowflake.</ref> <ref>https://forums.whonix.org/t/replacing-meek-snowflake/5190</ref> Template:No <ref>https://redmine.tails.boum.org/code/issues/5494</ref> Template:Yes ? ?
Other Censorship Circumvention Tools ? ? ? ? ?

Conclusion

Each anonymity-focused software platform / application considered in this comparison has a different threat model, implementation, and use case. Further, the design and developer road map decisions are influenced by disparate philosophies and political views.

Objectively speaking, it is difficult to state that any one specific platform or tool is superior in all regards and circumstances. For instance, a simple analysis might conclude:

  • Whonix is better suited for high-security protection against passive surveillance methods and IP address / DNS leaks.
  • Tails is better suited for high-risk users who face aggressive, targeted surveillance.
  • Tor Browser on the host is sufficient for low-risk users unlikely to be tagged for targeted surveillance.
  • corridor is a useful addition, since a Tor traffic whitelisting (filtering) gateway provides an additional failsafe to prevent clearnet leaks.

Ultimately, the "best" anonymity software / distribution and configuration is informed by a realistic threat assessment of one's own personal circumstances, before any final decision is made.

Statement about Neutrality of this Page

General

An impartial comparison of anonymity platforms and tools is difficult, since contributors to this page are most likely Whonix users. Regardless, an imperfect comparison page is better than none at all. The reader should bear in mind that this wiki content might have been anonymously posted elsewhere, such as Wikipedia. The contributors to this page have decided to attach their pseudonyms.

Anonymous edits are allowed and are generally published within a short time frame. Readers who notice any mistakes can immediately edit the page. This entire article is published under a Free (as in speech) license (GPLv3+). <ref>Permission is granted by adrelanos (Patrick Schleizer) for anyone editing this page to shift the content to a more neutral place, like Wikipedia. Should it be required, Schleizer would also agree to dual / multi / re-licensing of this page under a different Free (as in speech) license, such as GFDL. Note that moving the article to Wikipedia is difficult to achieve anonymously, since they do not allow Tor user edits (and most people interested in this article are Tor users).</ref>

Different Views

Opinions should always be expressed carefully, particularly when analyzing the merits and weaknesses of other software projects. A range of different opinions already exist on this exact issue. Interested readers can refer to the following resources or add their own:

Systems Omitted from the Comparison

The following software platforms were not considered in this comparison, but may be included in the future:


Host | Knowledge | Recommendation | Status | Freedom
Windows | Newcomer | Windows (Download) | Production | Free
Linux | Newcomer | VirtualBox (Download) | Production | Free
macOS | Newcomer | macOS (Download) | Production | Free
Qubes | Advanced | Qubes-Whonix (Download) | Production | Free
Linux | Advanced | KVM (Download) | Production | Free
QEMU | Advanced | Unsupported | Experimental | Free
VMware | Advanced | Unsupported | Experimental | Free
Any | Advanced | Unsupported | Experimental | Free
2 PCs, personal computer, notebook | Advanced | x86 compatible | Experimental | Free
Raspberry Pi 3 B (RPI3) | Advanced | Whonix-Gateway Raspberry Pi 3 B (RPI3) | Experimental | Free
32-bit | Advanced | Whonix 32 bit information | Production | Free
Source Code | Advanced | Build Documentation (Download) | Production | Free
